Security and AI‑operations firm Rubrik has warned that enterprise adoption of agentic AI is outpacing the ability to secure these autonomous systems, with new research from Rubrik Zero Labs highlighting a critical gap between innovation and identity‑governance controls. The report, titled The State of the Agent: Understanding Adoption, Risk, and Mitigation, is based on a survey of more than 1,600 global IT and security leaders and a technical analysis of AI‑agent attack vectors.
The data shows that many organisations are already deploying AI agents into production without the observability, governance, or recovery mechanisms required to manage them effectively. The report also highlights India‑specific patterns, where AI‑agent adoption is advancing rapidly even as security‑readiness lags.
Identity Governance and the “Shadow Workforce”
Rubrik Zero Labs found that only 26% of Indian enterprises report full visibility into the AI agents operating in their environments, a figure the report notes is likely over‑stated. The result is a growing pool of non‑human identities tied to AI agents that operate with persistent access and limited oversight, creating a “shadow workforce” that can trigger decisions, execute actions, and interact with sensitive data.
The gap is compounded by identity sprawl, as non‑human identities proliferate faster than enterprises can track or govern them. Many of these identities operate with broad privileges and minimal rotation or monitoring, opening new pathways for misuse, compromise, and lateral movement within corporate systems.
Operational Strain and Recovery Challenges
The report also finds that 82% of Indian respondents say AI agents require more manual oversight than they save in efficiency, indicating that automation is not yet delivering the expected productivity gains. At the same time, 81% of Indian organisations say they lack the ability to roll back agent actions without causing system disruption, making recovery and remediation a major risk as agent‑driven incidents increase.
Nearly nine in ten IT and security leaders globally expressed concern about meeting recovery objectives as agent‑driven threats rise. The findings suggest that, for many enterprises, the bottleneck is no longer just deploying AI agents but managing their lifecycle, revoking actions, and maintaining control when those systems behave unexpectedly or are compromised.
Threat Landscape and Board‑Level Signals
Rubrik’s research notes that nearly half of global respondents expect agentic systems to drive the majority of attacks in the coming year, reflecting a broader shift in how adversaries leverage autonomous systems. Autonomous agents can compress attack timelines, scale operations, and blur the distinction between insider‑style activity and external compromise.
The report also highlights a regional nuance: 66% of Indian respondents believe AI security guidance is still too theoretical or early‑stage to be practical, even as 38% of Indian organisations expect up to 50% of cyberattacks in the next 12 months could be driven by agentic AI. The data collectively points to a widening gap between where organisations are deploying AI agents and how well they can monitor, govern, and recover from agent‑related incidents.
